The personal blog of Peter Lee a.k.a. "China Hand"... Life is a comedy to those who think, a tragedy to those who feel, and an open book to those who read. You are welcome to contact China Matters at the address chinamatters --a-- prlee.org or follow me on twitter @chinahand.

Wednesday, February 11, 2015

Did America Accidentally Give the World’s Most Powerful Cyberweapon to Terrorists?

Next time Brian Williams or his carefully-coiffed successor
assigns blame to some foreign actor for a cyberoutrage, I expect the “Cyber
Threats Intelligence Integration Center” to figure prominently in the coverage.

White House cybersecurity coordinator
Michael Daniel has concluded that cyberintelligence at the moment is bedeviled
by the same shortcomings that afflicted terrorism intelligence before 9/11 —
bureaucracy, competing interests, and no streamlined way to combine analysis
from various agencies, the official said.

The hack on Sony's movie subsidiary,
for example, resulted in a variety of different analytical papers from various
agencies. Each one pointed to North Korea, but with varying degrees of
confidence.

Unlike the National Counter Terrorism
Center, which gets most of its information from intelligence agencies, the new
cyberagency may rely to a much larger extent on private companies, which are
regularly seeing and gathering cyberintelligence as they are hit with attempts
by hackers to break into their networks.

Gathering threat signatures, and
profiling hacker groups, has become a key component of collecting
cyberintelligence — a discipline practiced both by government agencies and
private firms.

Hmmm.

On the issue of prevention, I am rather skeptical of the “we
will gather all the hay in the world in one gigantic stack and sift through it in
real time to find the needle” assumption, though I remain optimistic that it
will fund tuition payments for intel bureaucrats and contractors for many years
into the future.

On the other hand, I believe that the CTIIC (or “Stick” ™ as
I hope they are already calling it) will perform yeoman service on the key
matter of promptly and effectively documenting and evangelizing the US
government’s case in the attribution of cyberattacks that have already
occurred.

As I argued in various venues recently with reference to the
Sony hack, for purposes of semiotics (clear messaging, positioning, blame
avoidance, and signaling of US government intentions) if not forensics (proving
whodunit), painting a convincing, action-worthy cyberbullseye on the back of
some foreign enemy is a major challenge for governments these days.

When some high-profile outrage like Sony occurs, the US
government has to make a prompt show of control, capability, and resolve. Letting a bunch of data nerds chew over the
data for a few weeks and spit up an equivocal conclusion like “It looks like
the same guys who did this did that, and maybe the guys who did that were…”
doesn’t quite fill the bill.

Which is pretty much what happened on Sony. Various private sector and government actors
all stuck their oar in, contradictory opinions emerged, messaging was all over
the map.

“Stick” ™ fixes that. By establishing a central clearing house for relevant information, the
US government is on the right side of the information symmetry equation. “You say you think this, but you don’t know
this, this, and this, or the stuff we can’t tell you because it’s classified
above your clearance.”

And even if the real takeaway from the investigatory process
still is “It looks like the same guys who did this did that, and maybe the guys
who did that were…” it comes out as “The Cyber Threats Intelligence Integration
Center has attributed this cyberattack to North Korea with a high degree of
confidence. By Executive Order, the
President has already commanded CyberCommand to make a proportional response.”

You get the picture.

So I expect jobs one and two and three for CTIIC will be to
generate persuasive dossiers for backgrounding, leaking, whatever on the PRC,
North Korea, and the Russian Federation, to be deployed when some mysterious
alchemy of evidence, circumstance, and strategy dictate that one of them has to
get tagged as The Bad Guy for some cyberoutrage.

Especially if the cyberoutrage has the American government’s
own fingerprints all over it—which is apparently not a remote contingency.

A document from the Snowden trove reveals that the NSA posited that the high-profile Shamoon attack on Aramco in August 2012, which was attributed to Iran, was retaliation for the
“Wiper” virus unleashed on the Iranian oil industry a few months before. Wiper, according to Kaspersky, bore a distinct resemblance to acknowledged US/Israeli jointly-developed anti-Iran malware like Stuxnet.

Just as a reminder, in a speech to business bigwigs, the CIA Director at the time, Leon Panetta,
characterized Shamoon as an unprovoked attack--indeed a "Cyber Pearl Harbor"--against a private
corporation, apparently in an effort to persuade corporations they had a
lot of skin in the national cybersecurity game.

The inference that Shamoon was plausibly 1) retaliation for US/Israeli
dirty tricks and 2) using US/Israel's own dirty trickbag, casts an
interesting sidelight on Panetta's remarks. Maybe the true significance
of his speech was that the US government now realized US interests were vulnerable to
effective cyber-retaliation, and it was time to play the "foreign
menace" card in order to inoculate the US security establishment
against rather well-founded suspicions that its own cyber-shenanigans
might result in heightened threats and gigantic costs for US
corporations that otherwise might not have a dog in the global
cyberfight. You know, like Sony.

But there was more to the story than PO'd Iranians fighting back. The rapid Iranian
counterattack had itself incorporated elements of the Wiper software.

The NSA document from
April 2013, published today by The Intercept, shows the US intelligence community is worried that Iran has learned
from attacks like Stuxnet, Flame and Duqu—all of which were created by the same
teams—in order to improve its own capabilities.

Wiper was the first
known data destruction attack of its kind. Although the NSA document doesn’t
credit the US and its allies for launching the attack, Kaspersky researchers
found that it shared some circumstantial hallmarks of the Duqu and Stuxnet
attacks, suggesting that Wiper might have been created and unleashed on Iran by
the US or Israel.

And there’s more. Lots more.

Wiper is also believed to have
inspired a destructive attack that struck computers belonging to banks and
media companies in South Korea in March 2013. That attack wiped the hard drives
and Master Boot Record of at least three banks and two media companies
simultaneously and reportedly put some ATMs out of operation, preventing South
Koreans from withdrawing cash from them. The report does not suggest that Iran
was behind this attack.

Wiper is also widely believed to have
been inspiration for the recent hack of Sony Pictures Entertainment. Again, in
the latter attack, the hackers wiped data from Sony systems and overwrote parts
of the Master Boot Record, preventing systems from rebooting.

In other words, the Sony hack: Made in America!

Unsurprisingly, the theme of the NSA document was anxiety
that America’s enemies were turning its own weapons against it. The immediate focus was Iran, but the NSA
could and should be more anxious that it unwittingly augmented China’s cyber
arsenal.

I find it likely that Iran invited the PRC to have a look at
Stuxnet and Wiper and maybe even exchanged some ideas with Iran’s hackers.

But maybe the PRC didn’t even need to visit Tehran. One of the embarrassing secrets of Stuxnet,
marketed to the public as a zero-collateral-damage super precision cyberweapon
targeting Iran’s airgapped computer network at its nasty uranium centrifuge
facility, was that it behaved more like cyber-Ebola, escaping into the cybersphere and infecting
about 100,000 hosts.

Looking at the NSA memo and the Sony hack, it is pretty
plausible that U.S. state-of-the-art malware capabilities are not just in the hands of Iran but maybe also
the PRC and North Korea. So perhaps the
underlying and unspoken NSA anxiety is that the Stuxnet/Wiper suite of nasties is not
only held by state actors, albeit antagonistic ones, with whom the United
States can engage.

Maybe the NSA (or Israel, which may have mischievously
released Stuxnet just to bedevil anybody else who was controlling banks of
uranium centrifuges with Siemens PLCs) also committed the cyber equivalent of
proliferating WMDs to terrorists: putting the world’s most powerful cyberweapon
in the hands of the black-hat hacking community.

No wonder the US needs CTIIC. Gotta control that story, channel outrage
against the necessary enemy, and short-circuit those embarrassing blowback
accusations.